Regular expressions are said to carry a risk of Denial of Service attacks (ReDoS) in which processing time grows exponentially.
http://blog.ohgaki.net/regex-dos-redos
In fact, running the following code in the Mongo shell (JavaScript) results in 100% CPU utilization for a long time:
regex=/(a+)+Z/
regex.exec("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!")
However, when you search a collection by regular expression, you get results immediately:
db.test.insert({_id: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"})
db.test.find({_id:/(a+)+Z/})
Are queries using regular expressions in MongoDB guaranteed to be free of ReDOS vulnerabilities?
I looked through the MongoDB documentation, but I couldn't find out whether a string received remotely may be used as the query's regular expression.
The only thing I found was:
https://www.mongodb.com/alerts/
Remotely trigger a denial of service (crash) via a specific broken regular expression
It appears that the ReDoS regular expression attack was addressed in , but I found no document clearly stating that it is acceptable to use it.
regular-expression security mongodb
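An added example, not code from the question or from MongoDB, showing the defensive pattern behind the question: a remotely received string is escaped so it is matched as literal text inside the find() filter, which means a pattern such as (a+)+Z never reaches the regex engine as syntax. The helper names, the length cap and the nested-quantifier heuristic are assumptions.

```javascript
// Added example (not from the question or MongoDB): treat a remotely received
// string as literal text before it goes into a find() filter, so a pattern such
// as (a+)+Z can never reach the regex engine as syntax. Names are assumed.

const MAX_QUERY_LEN = 256; // assumed cap; a length limit bounds matching work

// Escape every character with special meaning in a JavaScript/PCRE regex.
function escapeRegex(input) {
  return String(input).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a filter that matches _id values starting with the user text, literally.
// The ^ anchor also lets MongoDB use an index on _id instead of scanning.
function buildPrefixFilter(userInput) {
  const text = String(userInput);
  if (text.length > MAX_QUERY_LEN) {
    throw new RangeError("search text too long");
  }
  return { _id: new RegExp("^" + escapeRegex(text)) };
}

// Heuristic guard for code paths that must accept a raw pattern: flag a group
// that contains a quantifier and is itself quantified, the (a+)+ shape from the
// question. A false result does not prove the pattern is safe.
function hasNestedQuantifier(pattern) {
  return /\([^()]*[+*][^()]*\)[+*{]/.test(String(pattern));
}

// Constructed inputs taken from the question's own demonstration.
const ATTACK_PATTERN = "(a+)+Z";
const LONG_INPUT = "a".repeat(50) + "!";

function demo() {
  const filter = buildPrefixFilter(ATTACK_PATTERN);
  return {
    escaped: escapeRegex(ATTACK_PATTERN),            // \(a\+\)\+Z
    literalMatch: filter._id.test("(a+)+Z-suffix"),  // true: matched as text
    attackMatch: filter._id.test(LONG_INPUT),        // false, returns at once
    flagged: hasNestedQuantifier(ATTACK_PATTERN),    // true
  };
}

console.log(demo());
```

The same escaped string can be passed as `{ $regex: "^" + escapeRegex(text) }` when the driver expects a string pattern rather than a RegExp object.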
MongoDB versions 2.6.8 and earlier and 3.0.0 used PCRE library version 8.30, which had the ReDoS vulnerability CVE-2014-8964. Updating MongoDB to a later version eliminates this PCRE vulnerability.
See SERVER-17252 (English only).
Also, the version is written on the right side of the post you saw: https://www.mongodb.com/alerts/